
[Patch] spelling/memory leak in tftp_grab_file.c
mem leak was the (unnecessary) strdup

--nk

Index: tftp_grab_file.c
===================================================================
RCS file: /usr/local/cvs/nessus-plugins/plugins/tftp_grab_file/tftp_grab_file.c,v
retrieving revision 1.4
diff -u -r1.4 tftp_grab_file.c
--- tftp_grab_file.c 17 Dec 2001 15:09:54 -0000 1.4
+++ tftp_grab_file.c 26 Jun 2002 17:49:52 -0000
@@ -34,10 +34,10 @@
#define NAME "TFTP get file"
#define DESC "\
The TFTP (Trivial File Transfer Protocol) allows\n\
-remote user to read file withour having to log in.\n\
+remote users to read files without having to log in.\n\
This may be a big security flaw, especially if tftpd\n\
(the TFTP server) is not well configured by the\n\
-admin of the remote host\n\
+admin of the remote host.\n\
Solution : disable it\n\
Risk factor : High"

@@ -52,7 +52,7 @@
Facteur de risque : Elevé"

#define COPYRIGHT "no copyright"
-#define SUMM "Attempts to grab a via through tftp"
+#define SUMM "Attempts to grab a file through tftp"


PlugExport int plugin_init(struct arglist *desc);
@@ -83,14 +83,13 @@
char * test_file = get_preference(env, "test_file");
char * file = NULL;
int b;
- int i;
fd_set read_set;
char * report;
int flaw = 0;
int len = sizeof(struct sockaddr_in);
struct timeval timeout = {10,0};

- if(!test_file)test_file = strdup("/etc/passwd");
+ if(!test_file)test_file = "/etc/passwd";
packet = (struct tftp_header *)p_packet;

packet->th_opcode=htons(RRQ);
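Review bot: The fallback on the new line `if(!test_file)test_file = "/etc/passwd";` makes `test_file` alias a string literal while it stays a plain `char *` (declared at the top of the hunk), so any later `efree(&test_file)` or in-place write — the rest of the function is outside this hunk — would now hit read-only memory instead of the heap copy the removed strdup() produced. If nothing downstream writes through it, declare it `const char * test_file = get_preference(env, "test_file");` so the compiler enforces that, and make sure no cleanup path still frees it. The ownership of the pointer returned by get_preference() is not visible here; presumably it is not owned by this function, which is what makes dropping the strdup() safe.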
@@ -125,16 +124,15 @@
if(ntohs(packet->th_opcode)==3)
{
/* We receive some data : there is a flaw */
- char * tmp = NULL;
+ char * tmp = emalloc(512);
char * tmp2;
flaw++;
- tmp = emalloc(512);
sprintf(tmp, "%s", packet->th_msg);
if(!file)tmp2 = emalloc(strlen(tmp)+1);
else tmp2 = emalloc(strlen(file)+strlen(tmp)+1);

if(!file)strncpy(tmp2, tmp, strlen(tmp));
- else sprintf(tmp2, "%s%s", file,tmp);
+ else sprintf(tmp2, "%s%s", file, tmp);
if(file)efree(&file);
file = emalloc(strlen(tmp2)+1);
strncpy(file, tmp2, strlen(tmp2));
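Review bot: The retained `sprintf(tmp, "%s", packet->th_msg);` right after the new `char * tmp = emalloc(512);` copies received TFTP data with no bound: a data block whose payload contains no NUL within 512 bytes makes `%s` read past the packet and write past `tmp`. The copy should be limited by the number of bytes actually received rather than by a terminator, e.g. `size_t n = RECV_LEN - 4; if (n > 511) n = 511;` followed by `memcpy(tmp, packet->th_msg, n); tmp[n] = '\0';`, where RECV_LEN stands for the byte count returned by the receive call outside this hunk. The `strncpy(tmp2, tmp, strlen(tmp))` and `strncpy(file, tmp2, strlen(tmp2))` copies never write the terminator themselves and only work if emalloc() returns zero-filled memory — confirm that, or copy `strlen(...) + 1` bytes. The enclosing loop and function start and end outside the hunk.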
@@ -155,10 +153,10 @@
sprintf(report, "It was possible to retrieve the file %s\n\
through tftp. Here is what we could grab : \n%s\n\n\
Solution : disable the tftp daemon, or if you really need it\n\
-run it in a chrooted environnement", test_file, file);
+run it in a chrooted environment", test_file, file);
efree(&file);
plug_set_key(env, "tftp/get_file", ARG_INT, (void*)1);
- post_hole_udp(env, 69,report);
+ post_hole_udp(env, 69, report);
}
return(0);
}
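Review bot: The `sprintf(report, ...)` at the top of the hunk formats the whole grabbed file and `test_file` into `report` with no size bound; `report`'s allocation is outside the hunk, so confirm it is sized from `strlen(file) + strlen(test_file)` plus the template text, or switch to `snprintf(report, report_len, ...)` with that length. `report` is handed to post_hole_udp() and not freed within the hunk; whether post_hole_udp() takes ownership is not visible here. The enclosing function's start is outside the hunk.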